diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index e292811148..958d2af4f2 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -1,165 +1,149 @@
 #!/bin/bash
-# Tenants
+#
+# Initial data for Keystone using python-keystoneclient
+#
+# A set of EC2-compatible credentials is created for both admin and demo
+# users and placed in $DEVSTACK_DIR/ec2rc.
+#
+# Tenant User Roles
+# -------------------------------------------------------
+# admin admin admin
+# service glance admin
+# service nova admin
+# service quantum admin # if enabled
+# service swift admin # if enabled
+# demo admin admin
+# demo demo Member,sysadmin,netadmin
+# invisible_to_admin demo Member
+#
+# Variables set before calling this script:
+# SERVICE_TOKEN - aka admin_token in keystone.conf
+# SERVICE_ENDPOINT - local Keystone admin endpoint
+# SERVICE_TENANT_NAME - name of tenant containing service accounts
+# ENABLED_SERVICES - stack.sh's list of services to start
+# DEVSTACK_DIR - Top-level DevStack directory
+
+ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
+SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
 export SERVICE_TOKEN=$SERVICE_TOKEN
 export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
+SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
 function get_id () {
- echo `$@ | grep ' id ' | awk '{print $4}'`
+ echo `$@ | awk '/ id / { print $4 }'`
 }
-# Detect if the keystone cli binary has the command names changed
-# in https://review.openstack.org/4375
-# FIXME(dtroyer): Remove the keystone client command checking
-# after a suitable transition period. add-user-role
-# and ec2-create-credentials were renamed
-if keystone help | grep -q user-role-add; then
- KEYSTONE_COMMAND_4375=1
-fi
-
-ADMIN_TENANT=`get_id keystone tenant-create --name=admin`
-SERVICE_TENANT=`get_id keystone tenant-create --name=$SERVICE_TENANT_NAME`
-DEMO_TENANT=`get_id keystone tenant-create --name=demo`
-INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin`
+# Tenants
+ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
+SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
+DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
+INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
 # Users
-ADMIN_USER=`get_id keystone user-create \
- --name=admin \
- --pass="$ADMIN_PASSWORD" \
- --email=admin@example.com`
-DEMO_USER=`get_id keystone user-create \
- --name=demo \
- --pass="$ADMIN_PASSWORD" \
- --email=admin@example.com`
+ADMIN_USER=$(get_id keystone user-create --name=admin \
+ --pass="$ADMIN_PASSWORD" \
+ --email=admin@example.com)
+DEMO_USER=$(get_id keystone user-create --name=demo \
+ --pass="$ADMIN_PASSWORD" \
+ --email=demo@example.com)
 # Roles
-ADMIN_ROLE=`get_id keystone role-create --name=admin`
-MEMBER_ROLE=`get_id keystone role-create --name=Member`
-KEYSTONEADMIN_ROLE=`get_id keystone role-create --name=KeystoneAdmin`
-KEYSTONESERVICE_ROLE=`get_id keystone role-create --name=KeystoneServiceAdmin`
-SYSADMIN_ROLE=`get_id keystone role-create --name=sysadmin`
-NETADMIN_ROLE=`get_id keystone role-create --name=netadmin`
+ADMIN_ROLE=$(get_id keystone role-create --name=admin)
+KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
+KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
+SYSADMIN_ROLE=$(get_id keystone role-create --name=sysadmin)
+NETADMIN_ROLE=$(get_id keystone role-create --name=netadmin)
-if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
- # Add Roles to Users in Tenants
- keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
- keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
- keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
- keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT
- keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT
- keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
+# Add Roles to Users in Tenants
+keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
+keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
+keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
+keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT
- # TODO(termie): these two might be dubious
- keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
- keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
-else
- ### compat
- # Add Roles to Users in Tenants
- keystone add-user-role $ADMIN_USER $ADMIN_ROLE $ADMIN_TENANT
- keystone add-user-role $DEMO_USER $MEMBER_ROLE $DEMO_TENANT
- keystone add-user-role $DEMO_USER $SYSADMIN_ROLE $DEMO_TENANT
- keystone add-user-role $DEMO_USER $NETADMIN_ROLE $DEMO_TENANT
- keystone add-user-role $DEMO_USER $MEMBER_ROLE $INVIS_TENANT
- keystone add-user-role $ADMIN_USER $ADMIN_ROLE $DEMO_TENANT
+# TODO(termie): these two might be dubious
+keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
+keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
+
+
+# The Member role is used by Horizon and Swift so we need to keep it:
+MEMBER_ROLE=$(get_id keystone role-create --name=Member)
+keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
+keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT
- # TODO(termie): these two might be dubious
- keystone add-user-role $ADMIN_USER $KEYSTONEADMIN_ROLE $ADMIN_TENANT
- keystone add-user-role $ADMIN_USER $KEYSTONESERVICE_ROLE $ADMIN_TENANT
- ###
-fi
 # Services
-keystone service-create \
- --name=nova \
- --type=compute \
- --description="Nova Compute Service"
-NOVA_USER=`get_id keystone user-create \
- --name=nova \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=nova@example.com`
+keystone service-create --name=keystone \
+ --type=identity \
+ --description="Keystone Identity Service"
+
+keystone service-create --name=nova \
+ --type=compute \
+ --description="Nova Compute Service"
+NOVA_USER=$(get_id keystone user-create --name=nova \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=nova@example.com)
 keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user $NOVA_USER \
- --role $ADMIN_ROLE
+ --user $NOVA_USER \
+ --role $ADMIN_ROLE
-keystone service-create \
- --name=ec2 \
- --type=ec2 \
- --description="EC2 Compatibility Layer"
+keystone service-create --name=ec2 \
+ --type=ec2 \
+ --description="EC2 Compatibility Layer"
-keystone service-create \
- --name=glance \
- --type=image \
- --description="Glance Image Service"
-GLANCE_USER=`get_id keystone user-create \
- --name=glance \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=glance@example.com`
+keystone service-create --name=glance \
+ --type=image \
+ --description="Glance Image Service"
+GLANCE_USER=$(get_id keystone user-create --name=glance \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=glance@example.com)
 keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user $GLANCE_USER \
- --role $ADMIN_ROLE
-
-keystone service-create \
- --name=keystone \
- --type=identity \
- --description="Keystone Identity Service"
+ --user $GLANCE_USER \
+ --role $ADMIN_ROLE
 if [[ "$ENABLED_SERVICES" =~ "n-vol" ]]; then
- keystone service-create \
- --name="nova-volume" \
- --type=volume \
- --description="Nova Volume Service"
+ keystone service-create --name="nova-volume" \
+ --type=volume \
+ --description="Nova Volume Service"
 fi
 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
- keystone service-create \
- --name=swift \
- --type="object-store" \
- --description="Swift Service"
- SWIFT_USER=`get_id keystone user-create \
- --name=swift \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=swift@example.com`
+ keystone service-create --name=swift \
+ --type="object-store" \
+ --description="Swift Service"
+ SWIFT_USER=$(get_id keystone user-create --name=swift \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=swift@example.com)
 keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user $SWIFT_USER \
- --role $ADMIN_ROLE
+ --user $SWIFT_USER \
+ --role $ADMIN_ROLE
 fi
+
 if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
- keystone service-create \
- --name=quantum \
- --type=network \
- --description="Quantum Service"
- QUANTUM_USER=`get_id keystone user-create \
- --name=quantum \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=quantum@example.com`
+ keystone service-create --name=quantum \
+ --type=network \
+ --description="Quantum Service"
+ QUANTUM_USER=$(get_id keystone user-create --name=quantum \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=quantum@example.com)
 keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user $QUANTUM_USER \
- --role $ADMIN_ROLE
+ --user $QUANTUM_USER \
+ --role $ADMIN_ROLE
 fi
 # create ec2 creds and parse the secret and access key returned
-if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
- RESULT=`keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT --user=$ADMIN_USER`
-else
- RESULT=`keystone ec2-create-credentials --tenant_id=$ADMIN_TENANT --user_id=$ADMIN_USER`
-fi
- echo `$@ | grep id | awk '{print $4}'`
-ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
-ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
+RESULT=$(keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT --user=$ADMIN_USER)
+ADMIN_ACCESS=$(echo "$RESULT" | awk '/ access / { print $4 }')
+ADMIN_SECRET=$(echo "$RESULT" | awk '/ secret / { print $4 }')
-
-if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
- RESULT=`keystone ec2-credentials-create --tenant_id=$DEMO_TENANT --user=$DEMO_USER`
-else
- RESULT=`keystone ec2-create-credentials --tenant_id=$DEMO_TENANT --user_id=$DEMO_USER`
-fi
-DEMO_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
-DEMO_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
+RESULT=$(keystone ec2-credentials-create --tenant_id=$DEMO_TENANT --user=$DEMO_USER)
+DEMO_ACCESS=$(echo "$RESULT" | awk '/ access / { print $4 }')
+DEMO_SECRET=$(echo "$RESULT" | awk '/ secret / { print $4 }')
 # write the secret and access to ec2rc
 cat > $DEVSTACK_DIR/ec2rc <